Allow b tag and style attribute #1677

Rokt33r · 2018-03-14T04:05:57Z

No description provided.

Redsandro · 2018-03-15T02:28:56Z

browser/lib/markdown.js

        'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'h7', 'h8', 'br', 'b', 'i', 'strong', 'em', 'a', 'pre', 'code', 'img', 'tt',
        'div', 'ins', 'del', 'sup', 'sub', 'p', 'ol', 'ul', 'table', 'thead', 'tbody', 'tfoot', 'blockquote',
        'dl', 'dt', 'dd', 'kbd', 'q', 'samp', 'var', 'hr', 'ruby', 'rt', 'rp', 'li', 'tr', 'td', 'th', 's', 'strike', 'summary', 'details'
      ],
      allowedAttributes: {
        '*': [
+          'style',


After taking some time to reflect, I feel in my heart that this is very tempting but a bad idea. Please see #1672 (comment) where I try to explain that it doesn't matter that you cannot do a known xss. style is a known problematic attribute, and a potent target for new exploits.

Allow b tag and style attribute

f3d59a9

This was referenced Mar 14, 2018

SECURITY HOTFIX - Remove XSS attack #1634

Merged

HTML tags not rendered anymore? #1672

Closed

Rokt33r added the next release (v0.11.3) label Mar 14, 2018

Rokt33r merged commit 826a67b into master Mar 14, 2018

Rokt33r deleted the allow-more branch March 14, 2018 04:09

Redsandro reviewed Mar 15, 2018

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Allow b tag and style attribute #1677

Allow b tag and style attribute #1677

Rokt33r commented Mar 14, 2018

Redsandro Mar 15, 2018

Allow b tag and style attribute #1677

Allow b tag and style attribute #1677

Conversation

Rokt33r commented Mar 14, 2018

Redsandro Mar 15, 2018

Choose a reason for hiding this comment